Category Archives: Cyber Security

Often malware infects the USB disks in such a way that the capacity of the USB disks is reduced. For example, an 8GB USB flash key may show up only as a 500kb USB key in Windows. Even after you remove the malware or format such a disk, the capacity does not change and you are pretty much stuck. But thanks to a tiny tool called BootIce, you can now format such a USB disk and restore it to its original full capacity.

BootIce is freeware for Windows. The download is in the form of a portable EXE file. BootIce is a standalone Windows program, so it does not require installation.

CAUTION: Formatting and repartitioning your USB disk will erase all the data on it. Please back up your existing data on the USB drive before proceeding.

Insert the affected USB flash key in your computer and then run the BootIce software by double-clicking on BootIce.exe. Because BootIce needs formatting permissions, you may see the User Account Control window pop up in Windows Vista/7. Just give the administrator permissions and the BootIce window will open. If you are running Windows XP, then you need to log in with an administrator-level account.

Select the destination drive in the BootIce window. Make sure it is the affected USB key that you have inserted. Then click on the Parts Manage button.

A new window will open, showing you the different partitions on the selected USB drive. Here you can see different parameters for the partitions on the selected USB disk, like the drive letter assigned by Windows and the partition sizes. Click on the button labeled ReFormat USB Disk.

In the Repartition and Format window, select USB-HDD Mode (Single Partition) option from the list of options given. Leave the Partition Alignment to the default (Align to cylinder). Then click on the Next button.

A small window asking you to choose the formatting options will pop up. You should choose either FAT32 or FAT16 as the target file system. Most USB disks originally come with FAT16 formatting, so you may want to choose FAT16. You can choose any name you like as the volume label. Click OK to proceed.

You will be shown a confirmation dialog. Make sure you have backed up all the files from the target USB disk. Then choose OK to proceed with repartitioning and reformatting the selected USB flash disk.

If everything goes right, you should see a congratulations message after a few seconds. Now you can check the USB disk capacity in Windows Explorer. It should be restored to the original full capacity. It is now ready for use. You can format it again using Windows’ built-in formatting function or just start using it right away.

IoT security is a much-debated topic that needs more attention in the near future. It might seem convenient to connect all your home devices to the internet and track them on the move. But it should be noted that your favorite home gizmo may be spilling your secrets.

For example, take the humble tea kettle boiling a nice cuppa for you. A security researcher in England has been hacking into the smart iKettles all across the country and cracking the private WiFi passwords.

“If you haven’t configured the kettle, it’s trivially easy for hackers to find your house and take over your kettle,” says Ken Munro, a researcher with Pen Test Partners.

The iKettle is actually a ‘smart’ kettle that can be turned on using a smartphone app. But, these smart kettles are reportedly ‘insecure’ if not configured properly and could cause a WiFi kettle hack.

He cracked the home WiFi passwords “easily” and explains the process of WiFi kettle hack: “Attackers will need to setup a malicious network with the same SSID but with a stronger signal that the iKettle connects to before sending a disassociation packet that will cause the device to drop its wireless link.”

So, a skillful hacker can just sit outside your home with an antenna pointed towards the home, boot the kettle off its access point and connect it to his device. Now he can easily steal your passwords in plain text to execute this WiFi kettle hack.

Munro says the security of Internet of Things devices is “utterly bananas” and that urgent steps are needed.

When you hear the word encryption, the first thing that might come to mind is that it’s something only techies or geeks would understand, or use. In reality, the idea of encryption isn’t that complicated. Encryption is a system of mathematical algorithms that encodes user data so that only the intended recipient can read it. As simple as it sounds, the math and extra steps can become onerous for beginners. But before you decide to put it off for other ways to protect your online communications, a few examples might convince you that encryption is one of the best methods to safeguard your privacy, even at times when you think it doesn’t count.

Phone calls, emails, online purchases, social media, and general browsing are online activities we can no longer live without. While we’re constantly looking for or sharing information online, our data is fundamentally stored somewhere. Most people aren’t sure where that “somewhere” is, but that data should only be available to the service provider brokering your conversation. It could, however, be visible to the telecom companies carrying your Internet packets, and your supposedly private and secure communications could be intercepted. As many cases have proven, user and company data is increasingly being targeted by hackers and cybercriminals, resulting in data breaches and targeted attacks. This reason alone should serve as enough warning to those who haven’t considered protecting their communications via encryption.

What is encryption and how does it work?

“Encryption works best if it is ubiquitous and automatic. It should be enabled for everything by default, not a feature you only turn on when you’re doing something you consider worth protecting.”
-Bruce Schneier, Cryptographer, Privacy and Security Specialist

Encryption enhances the security of a message or file by scrambling the content. To encrypt a message, you need the right key, and you need the right key to decrypt it as well. It is the most effective way to hide communication via encoded information where the sender and the recipient hold the key to decipher data. The concept isn’t that different from children who come up with secret code words and other discreet ways to communicate, where only they are able to understand the message. Encryption is like sending secret messages between parties—if someone tries to pry without the proper keys, they won’t be able to understand the message.

There are two methods of encryption: symmetric and asymmetric encryption. Symmetric encryption, also known as secret key encryption, pertains to the sender and the recipient holding the same keys to encrypt and decrypt a message. Asymmetric encryption, or public key encryption uses what is called a key pair—a public key for encrypting a message, and a private key to decrypt it.

Encrypting your connection

Using Wi-Fi to connect to the Internet is convenient, but in terms of security, there’s always a trade-off as it won’t be difficult for an intruder to intercept any connection, which could result in stolen user credentials and other sensitive data. This is why many websites use a protocol called HTTPS for encrypting data that’s being sent between sites. While this doesn’t necessarily guarantee absolute security, the risks are reduced as information being transmitted can only be decrypted by the site it was sent to.

Encrypting your data

When it comes to your data, the main purpose for encrypting the data stored in your computer and devices—even if you have created back-ups or secure passwords—is to ensure your privacy, protect your data, and secure intellectual property. This is also known as endpoint encryption, which basically adds an extra layer of protection for the confidential information residing on your PC and devices, data stored in removable media such as USB, CD, DVD, or specific files and folders.

Why do we need it?

While encryption doesn’t magically convey security, it can still be used to protect a user’s identity and privacy. If we are ever being watched, inadvertently or not, we can hide our data by using properly implemented crypto systems. According to cryptographer and security and privacy specialist Bruce Schneier, “Encryption works best if it is ubiquitous and automatic. It should be enabled for everything by default, not a feature you only turn on when you’re doing something you consider worth protecting.”

A new piece of malware is in town that disguises itself as Google Chrome to hijack users’ computer systems. This malware serves you its own intrusive ads and sells your activity to third parties.

The researchers at Malwarebytes state that this malware deletes Google Chrome and replaces it by installing itself as your default internet browser. This isn’t the end – the malware makes itself the default program for opening multiple file types like .html, .jpg, .gif, .pdf and web links.

This malware is actually the eFast web browser, which looks just like Google Chrome. It’s even based on the open source Chromium project, so it behaves about the same.

It’s odd to note that replacing a browser is now actually easier than infecting one. This is because Google has taken steps to lock down Chrome extensions by implementing filters like Google code review and code signing. So, replacing the entire browser could be the new way to attack your PC.

The eFast browser malware also deletes all the Google Chrome shortcuts and replaces them with its own.

To spot the eFast browser malware, you need to look in the settings. Malwarebytes writes: “It isn’t until you look in the settings that you spot the “about eFast” entry in the menu (or if you type “chrome://chrome” in the address bar).”

After spotting the eFast browser malware on your PC, all you need to do is go to the installed programs list and uninstall the “eFast 000.110010107” entry.
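One way to check a Windows machine for the three behaviours described above (the eFast uninstall entry, a missing Chrome, and changed default handlers), as an added Python example that is not from Malwarebytes. The function names, the baseline of expected handlers and the sample ProgId values are assumptions constructed for illustration; `collect_windows()` reads the standard Uninstall and UserChoice registry keys.

```python
WATCHED = [".html", ".jpg", ".gif", ".pdf", "http", "https"]  # http/https stand in for "web links"
_UNINSTALL = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
_UNINSTALL32 = r"SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
_FILE_EXTS = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts"
_URL_ASSOC = r"Software\Microsoft\Windows\Shell\Associations\UrlAssociations"

def efast_indicators(programs, handlers, baseline, chrome_expected=True):
    """Return readable findings for the three behaviours the article describes."""
    findings = []
    names = [p for p in programs if p]
    for name in names:
        if "efast" in name.lower():
            findings.append(f"uninstall entry present: {name}")
    if chrome_expected and not any("google chrome" in n.lower() for n in names):
        findings.append("Google Chrome missing from installed programs")
    for assoc in WATCHED:
        now, before = handlers.get(assoc), baseline.get(assoc)
        if before is not None and now != before:
            findings.append(f"handler for {assoc} changed: {before} -> {now}")
    return findings

def collect_windows():
    """Read installed program names and current per-user handlers (Windows only)."""
    import winreg  # imported here so the analysis above also runs on other platforms
    programs = []
    for hive, path in [(winreg.HKEY_LOCAL_MACHINE, _UNINSTALL),
                       (winreg.HKEY_LOCAL_MACHINE, _UNINSTALL32),
                       (winreg.HKEY_CURRENT_USER, _UNINSTALL)]:
        try:
            root = winreg.OpenKey(hive, path)
        except OSError:
            continue  # hive/path not present on this system
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                with winreg.OpenKey(root, winreg.EnumKey(root, i)) as sub:
                    programs.append(winreg.QueryValueEx(sub, "DisplayName")[0])
            except OSError:
                pass  # entry without a DisplayName
    handlers = {}
    for assoc in WATCHED:
        base = _FILE_EXTS if assoc.startswith(".") else _URL_ASSOC
        try:
            key_path = base + "\\" + assoc + r"\UserChoice"
            with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
                handlers[assoc] = winreg.QueryValueEx(key, "ProgId")[0]
        except OSError:
            handlers[assoc] = None  # no explicit per-user choice recorded
    return programs, handlers

# Constructed sample data (not from a real machine); the ProgId values are made up.
BASELINE = {a: "Baseline." + a.strip(".") for a in WATCHED}
CLEAN = (["Google Chrome", "7-Zip"], dict(BASELINE))
INFECTED = (["7-Zip", "eFast 000.110010107"], {a: "Constructed.Hijack" for a in WATCHED})

def demo():
    """Run the check over the clean and the infected sample inventories."""
    return efast_indicators(*CLEAN, BASELINE), efast_indicators(*INFECTED, BASELINE)
```

On a real machine, record `collect_windows()[1]` as the baseline while the system is known to be clean, then pass later readings to `efast_indicators`.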

For seven days, hackers used Yahoo’s ad network to send malicious bits of code to computers that visit Yahoo’s collection of heavily trafficked websites, the company said on Monday.

The attack, which started on July 28, was the latest in a string that have exploited Internet advertising networks, which are designed to reach millions of people online. It also highlighted growing anxiety over a much-used graphics program called Adobe Flash, which has a history of security issues that have irked developers at Silicon Valley companies.

“Right now, the bad guys are really enjoying this,” said Jérôme Segura, a security researcher at Malwarebytes, the security company that uncovered the attack. “Flash for them was a godsend.”

The scheme, which Yahoo shut down on Monday, worked like this: A group of hackers bought ads across the Internet giant’s sports, news and finance sites. When a computer — in this case, one running Windows — visited a Yahoo site, it downloaded malware code.

From there, the malware hunted for an out-of-date version of Adobe Flash, which it could use to commandeer the computer — either holding it for ransom until the hackers were paid off or discreetly directing its browser to websites that paid the hackers for traffic.

“Attacking Yahoo’s visitors would be enormously profitable for criminals,” said Vadim Kotov, a malware researcher at Bromium Labs, a software company, who was not involved with uncovering this attack. “So it makes sense that you’d see this particular type of attack there.”

Attacks on advertising networks have been on the rise, Mr. Kotov and other researchers say. Hackers are able to use the advertising networks themselves, built for targeting specific demographics of Internet users, to find vulnerable machines.

While Yahoo acknowledged the attack, the company said that it was not nearly as big as Malwarebytes had portrayed it to be.

“We take all potential security threats seriously,” a Yahoo spokeswoman said in a statement. “With that said, the scale of the attack was grossly misrepresented in initial media reports, and we continue to investigate the issue.”

“In terms of how many people were served a malicious ad, only Yahoo would really know,” Mr. Segura said. But he added: “This is one of the largest attacks we’ve seen in recent months.”

Neither company could say exactly how many people were affected.

After news of the attack was revealed, Adobe asked users to update Flash so their computers would no longer be vulnerable.

“The majority of attacks we are seeing are exploiting software installations that are not up-to-date on the latest security updates,” said Wiebke Lips, a spokeswoman for Adobe.

The Deep Web is a place that is hidden from the ordinary world because the browsers used to access the Deep Web continuously encrypt user data. Due to this constant data encryption, the browsing speeds are slow. Our beloved Tor network has more than 2 million daily users that slow down its performance. To counter this speed issue, five researchers have developed a new Tor-style anonymity network called HORNET: High-Speed Onion Routing at Network Layer.

Compared to anonymity networks like Tor, the HORNET system is more resistant to attacks and it delivers faster node speeds. The research team writes, “unlike other onion routing implementations, HORNET routers do not keep per-flow state or perform computationally expensive operations for data forwarding, allowing the system to scale as new clients are added.”

This paper “Hornet: High-Speed Onion Routing at Network Layer” was written by researchers Chen Chen of Carnegie Mellon University, along with David Barrera, Enrico Asoni, and Adrian Perrig of Zurich’s Federal Institute of Technology, and George Danezis from University College of London. Here’s the research paper.

To achieve speeds higher than Tor, HORNET doesn’t encrypt data as often; instead it encrypts just the personal stuff. In Tor, anonymity comes at the price of speed. To provide anonymity, Tor takes data and passes it through a series of computers before the final destination. Each time it passes from one computer to the other, the encryption exists and IP addresses change. Thus, it forms a time-consuming multilayer network (hence “The Onion Router”).

HORNET nodes process the anonymous traffic at more than 93Gb/s speed.

The basic architecture of Tor and HORNET is the same (onion routing). HORNET creates an encryption key set along with the routing info (connection state) on your system. Thus, the intermediate nodes don’t need to build this information each time, as these keys and connection state info are carried within packet headers (anonymous header or AHDR).

According to the research paper, this makes the whole system more secure, as the other intermediate computers don’t waste time playing with the sender’s and receiver’s packets. Thus, the whole process becomes faster and more secure.

It is worth mentioning that HORNET has not yet been tested at a large scale; it’s just these 5 researchers. Thus, extensive peer review is needed before systems like HORNET are adopted.
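The packet-carried state described above, as an added Python sketch that is not code from the HORNET paper or its authors. It assumes a toy SHA-256 keystream with HMAC instead of a vetted cipher, sender-chosen hop keys, and hypothetical names (`Node`, `seal`, `unseal`, `send`); each node seals its own forwarding state under a local secret and reads it back from the header instead of keeping a per-flow table.

```python
import hashlib
import hmac
import os

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    """Toy keystream: SHA-256 in counter mode (illustration only, not a vetted cipher)."""
    blocks = (hashlib.sha256(key + nonce + c.to_bytes(4, "big")).digest()
              for c in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def _xor(data: bytes, pad: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, pad))

def _keys(secret: bytes):
    """Derive separate encryption and MAC keys from a node's local secret."""
    return hashlib.sha256(b"enc" + secret).digest(), hashlib.sha256(b"mac" + secret).digest()

def seal(secret: bytes, state: bytes) -> bytes:
    """Encrypt-then-MAC a node's forwarding state so only that node can read it."""
    enc_key, mac_key = _keys(secret)
    nonce = os.urandom(12)
    body = nonce + _xor(state, _stream(enc_key, nonce, len(state)))
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(secret: bytes, segment: bytes) -> bytes:
    """Authenticate and decrypt a segment; reject anything forged or tampered with."""
    enc_key, mac_key = _keys(secret)
    body, tag = segment[:-32], segment[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("forwarding segment rejected")
    return _xor(body[12:], _stream(enc_key, body[:12], len(body) - 12))

class Node:
    def __init__(self, name: str):
        self.name = name
        self.secret = os.urandom(32)  # local secret, never shared
        self.flow_table = {}          # deliberately unused: no per-flow state is kept

    def make_segment(self, hop_key: bytes, next_hop: str) -> bytes:
        """Setup phase: give the sender our own state, sealed under our secret."""
        return seal(self.secret, hop_key + next_hop.encode())

    def forward(self, segment: bytes, nonce: bytes, payload: bytes):
        """Data phase: rebuild state from the packet, peel one layer, name the next hop."""
        state = unseal(self.secret, segment)
        hop_key, next_hop = state[:16], state[16:].decode()
        return next_hop, _xor(payload, _stream(hop_key, nonce, len(payload)))

def send(path, destination: str, message: bytes):
    """Sender: collect one segment per node, then carry them all in the header."""
    hop_keys = [os.urandom(16) for _ in path]  # assumption: sender picks the hop keys
    next_hops = [n.name for n in path[1:]] + [destination]
    header = [n.make_segment(k, nh) for n, k, nh in zip(path, hop_keys, next_hops)]
    nonce, payload = os.urandom(12), message
    for key in hop_keys:                       # add one encryption layer per hop
        payload = _xor(payload, _stream(key, nonce, len(payload)))
    nodes, hop = {n.name: n for n in path}, path[0].name
    for segment in header:                     # each node reads only its own segment
        hop, payload = nodes[hop].forward(segment, nonce, payload)
    return hop, payload, header
```

After `send([Node("A"), Node("B"), Node("C")], "dest", b"...")` the message arrives intact and every node's `flow_table` is still empty, which is the scaling property the researchers describe.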

Learning to become a hacker is not as easy as learning to become a software developer. I realized this when I started looking for learning resources for the simple hacking people do. Even to start doing the simplest hack on their own, a hacker needs in-depth knowledge of multiple topics. Some people recommend that a minimum knowledge of a few programming languages like C, Python and HTML, along with Unix operating system concepts and networking knowledge, is required to start learning hacking techniques.

Though knowing a lot of things is required, it is not really enough for you to be a competent and successful hacker. You must have a passion and positive attitude towards problem solving. Security software is constantly evolving and therefore you must keep learning new things at a really fast pace.

If you are thinking about ethical hacking as a career option, you may need to be prepared for a lot of hard/smart work. I hope these free resources will help you speed up your learning. If you decide to pursue ethical hacking as a career option, you may also want to read some

A lot of people (including me before doing research for this article) think that they can become a hacker using some free hacking tools available on the web. It’s true that some common types of hacking can be easily done with the help of tools; however, doing it does not really make you a hacker. A true hacker is one who can find a vulnerability and develop a tool to exploit and/or demonstrate it.

Hacking is not only about knowing “how things work”, but it’s about knowing “why things work that way” and “how can we challenge it”.

Below are some really useful hacking tutorials and resources you may want to explore in your journey of learning to hack

Hacking For Dummies – Beginners Tutorials

These tutorials are not really simple for anyone who is just starting to learn hacking techniques. However, these should be a simple starting point for you. I am sure you have a different opinion about the complexity of each tutorial; however, advanced hackers are going to call this the job of a script kiddie (beginner hacker). Even to acquire the skills of a script kiddie you need to have a good understanding of computer fundamentals and programming.

CYBRARY – For those looking to learn ethical hacking skills online, Cybrary provides the perfect platform to do so. Cybrary is a free online IT and cyber security training network that provides instruction in the form of self-paced, easy-to-follow videos. Featuring courses on topics such as Penetration Testing and Ethical Hacking, Advanced Penetration Testing, Post Exploitation Hacking and Computer and Hacking Forensics, Cybrary provides instruction from the beginner to the highly-advanced level of hacking. Additionally, Cybrary offers supplemental study material along with their courses free of charge. With their in-depth training videos and study guides, Cybrary ensures that users develop the best hacking skills.

Cryptography Related Tutorials

Cryptography is a must-know topic for any aspiring security professional or ethical hacker. You must understand how encryption and decryption are done. You must understand why some of the old encryption techniques do not work in the modern computing world.

This is an important area and a lot of software programmers and professionals do not understand it very well. Learning cryptography involves a good understanding of mathematics, which means you also need to have good fundamentals in discrete mathematics.

Websites For Security Related Articles And News

These are some websites that you may find useful for finding hacking-related resources and articles. A lot of simple tricks and tips are available for experimenting through these sites to improve yourself and become an advanced hacker.

In recent years, many people have aspired to learn how to hack. With growing interest in this area, a lot of different types of hacking practices are evolving. With the popularity of social networks, many people have been drawn towards vulnerabilities in various social networks like Facebook, Twitter, and MySpace.

Continuous learning about the latest security issues, news and vulnerability reports is really important for any hacker or security professional. Some of the sites that keep publishing informative articles and news are listed here.

EBooks And Whitepapers

Some of the research papers by security experts and gurus can provide you with a lot of information and inspiration. White papers can be really difficult to read and understand, so you may need to read them multiple times. Once you understand the topic well, reading will become much faster and you will be able to skim through a lot of content in less time.

Forums For Hackers And Security Professionals

Just like in any other area, forums are a really great help for learning from other experts. Hundreds of security experts and ethical/non-ethical hackers are willing to share their knowledge on forums for some reason. Please keep in mind to do enough research before posting a question and be polite to people who take time to answer your question.

Vulnerability Databases And Resources

Vulnerability Databases are the first place to start your day as a security professional. Any new vulnerability detection is generally available through the public vulnerability databases. These databases are a big source of information for hackers to be able to understand and exploit/avoid/fix the vulnerability.

Product Specific Vulnerability Information

Some of the very popular products in the world require special attention, and therefore you may want to look at the specific security websites directly from vendors. I have kept Linux, Microsoft and Apache in this list; however, it may apply to any product you may be heavily using.

Tools And Programs For Hacking / Security

There are dozens of tools available for doing different types of hacking and tests. Tools are really important to become more productive at your work. Some of the very common tools that are used by hackers are listed here. You may have different choice of tools based on your own comfort.

Summary

I have tried to compile some of these resources for my own reference for the journey of learning I am going to start. I am not even at a beginner level of becoming a hacker, but the knowledge of this field really fascinates me and keeps me motivated to learn more and more. I hope I will be able to become successful in this.

A lot of people use their knowledge and skills for breaking stuff and stealing. I personally think that doing harm to someone is a weak choice and will not have a good ending. I would recommend not using your skills for any unethical endeavor. A single misuse of your skill may jeopardize your career, since most companies do a strict third-party background check before they hire an ethical hacker or security personnel.

There are dozens of companies looking for ethical hackers and security professionals. There is a really good number of opportunities in this area and it’s a really niche compensation segment. You will easily be able to get a decent job without even acquiring all the expert-level skills to become a pro hacker.